DETAILED ACTION

1. This Office Action is responding to the Amendment received on 10/03/05.

2. Claims 1, 4-19, 21-27, 29-31, and 33-42 are pending. Claims 2, 3, 20, 28, and
32 are canceled. 

Response to Arguments 

3. Applicant's arguments filed 10/03/05 regarding the rejection of claims 1 and
4-7 under 35 USC § 101 have been fully considered but they are not persuasive.

4. As per remarks on page 14, 3rd paragraph, Applicant argues that "The terms
"system", "pluggable security policy enforcement module," and "business logic" 
all point to physical mechanisms for implementing the invention, rather than a 
mere descriptive recitation of a program per se". Examiner does not agree with 
the Applicant. The terms "System", "pluggable security policy enforcement 
module," and "business logic" are clearly pointing to a descriptive program 
language. There is no evidence of hardware involvement. 

5. In response to applicant's argument that the references fail to show certain
features of applicant's invention, it is noted that the features upon which applicant
relies (i.e., "The terms "system", "pluggable security policy enforcement module,"
and "business logic" all point to physical mechanisms for implementing the
invention") are not recited in the rejected claim(s). Although the claims are
interpreted in light of the specification, limitations from the specification are not
read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057
(Fed. Cir. 1993).



6. Further, Applicant argues that ""business logic" is recited which "processes
requests," these claims refer to a physical agent which performs the processing,
rather than a mere description of what the processing entails". Once again,
Examiner does not agree with the Applicant. As written in claim 1, the limitation
"wherein business logic processes requests submitted to the system, wherein the
business logic contains problem solving logic that produces solutions for a
particular problem domain..." does not recite an absolute meaning that the
business logic is computer hardware or a program or code in a computer
readable medium that processes the requests submitted to the system. Alternatively,
it could still be interpreted as just a characteristic of the design of the software
program that is capable of processing a request. Applicant needs to make
appropriate modification to the claim language to clearly justify that the business
logic is an actual software program or code on a computer readable medium to
overcome the 35 USC § 101 rejection.

Claim Rejections - 35 USC § 101

7. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

8. Claims 1-2 and 4-7 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. The language of the claims 
1-7 consists solely of a computer program, which is nonstatutory functional
descriptive material. A system of computer programs is also nonstatutory
functional descriptive material. The language ("system", "pluggable security 
policy enforcement module", "business logic", and "the business logic processes 
requests submitted to the system") of the claims does not recite any computer 
hardware involvement. See argument above. 



Claim Rejections - 35 USC § 102 

9. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

10. Claims 1, 4-19, 21-27, 29-31, and 33-42 are rejected under 35 U.S.C. 102(e) as
being anticipated by Andrews et al, US Patent No. 6487665B1, hereinafter "Andrews".
(Cited in PTO 892 dated 6/03/05)

11. As per claim 1: 

Andrew discloses "A system comprising: a pluggable security policy
enforcement module configured to be replaceable in the system and to provide different
granularities of control for a business logic in the system, wherein business logic
processes requests submitted to the system, wherein the business logic contains
problem solving logic that produces solutions for a particular problem domain" in (Col 7
lines 53-67, and Col 8 lines 25-50), "wherein the pluggable security policy enforcement
module is configured to determine, for a particular granularity of control, whether to
permit an operation, requested by a user based at least in part on a permission
assigned to the user" in (Col 8 lines 25-50), and "wherein the different granularities of
control comprise a plurality of sets of rules that can be replaced with each other without
altering the business logic" in (Col 7 lines 60-67, Col 17 lines 42-65, and Col 11 lines
30-60 (A set of rules associates with each role of many roles. For instance, the user
can call the method and can also control access at the application, object, and interface
level in (Col 11 lines 55-60), and the manager can have other accesses. Each control
access is a security or policy setting associating with the application, object, and
interface level)).

12. As per claim 4:

Andrew discloses "A system comprising: a pluggable security policy
enforcement module configured to be replaceable in the system and to provide different
granularities of control for a business logic in the system, wherein the business logic
processes requests submitted to the system, wherein the business logic contains
problem-solving logic that produces solutions for a particular problem domain" in (Col 7 lines 53-67,
Col 8 lines 25-50, and Col 14 lines 27-45), "wherein the pluggable security policy
enforcement module includes a control module configured to determine whether to permit an
operation based at least in part on accessing the business logic to identify one or more
additional tests to perform, and further configured to perform the one or more additional tests"
in (Col 11 lines 30-60, and Col 17 lines 43-58).

13. As per claim 5: 

Andrew discloses "A system as recited in claim 4, wherein the control
module is further configured to return a result of the determining to the business logic" in 
(Col 6 lines 57-65). 

14. As per claim 6:

Andrew discloses "A system comprising: a pluggable security policy enforcement module 
configured to be replaceable in the system and to provide different granularities of control for 
a business logic in the system, wherein the business logic processes requests submitted to 
the system, wherein the different granularities of control comprise a plurality of sets of rules, 
and wherein each set of rules includes a plurality of permission assignment objects" in (Col 7
lines 53-67, Col 8 lines 25-50, and Col 14 lines 27-45), "wherein each of the permission 
assignment objects associates a user with a particular role, wherein each particular role is 
associated with one or more permissions, and wherein each of the one or more permissions 
identifies a particular operation and context on which the operation is to be performed" in (Col 
7 lines 60-67, Col 17 lines 42-65, and Col 11 lines 30-60 (A set of rules associates with
each role of many roles. For instance, the user can call the method and can also
control access at the application, object, and interface level in (Col 11 lines 55-60), and
the manager can have other accesses. Each control access is a security or policy
setting associating with the application, object, and interface level)).

15. As per claim 7: 

Andrew discloses "A system as recited in claim 6, wherein each of the permission 
assignment objects further identifies whether the one or more permissions in the particular 
role are granted to the user or denied to the user" in (Col 11 lines 29-60, and Col 17 lines 42-
58). 



16. As per claim 8: 

Andrew discloses "One or more computer-readable media comprising computer-executable 
instructions that, when executed, direct a processor to perform acts including: 
receiving a request to perform an operation; checking whether to access a business logic in
order to generate a result for the requested operation wherein the business logic contains
problem-solving logic that produces solutions for a particular problem domain" in (Col 7
lines 53-67, Col 8 lines 25-50, and Col 14 lines 27-45); "obtaining, from the business logic, 
a set of zero or more additional tests to be performed in order to generate the result; 
performing each additional test in the set of tests if there is at least one test in the set of 
tests; checking a set of pluggable rules to determine the result of the requested operation; 
and returning, as the result, a failure indication if checking the business logic or checking the 
set of pluggable rules indicates that the result is a failure, otherwise returning, as the result, 
a success indication" in (Col 7 lines 60-67, Col 17 lines 42-65, and Col 11 lines 30-60 (A
set of rules associates with each role of many roles. For instance, the user can call the
method and can also control access at the application, object, and interface level in (Col
11 lines 55-60), and the manager can have other accesses. Each control access is a
security or policy setting associating with the application, object, and interface level)).

17. As per claim 9: 

Andrew discloses "One or more computer-readable media as recited in claim 8, wherein the 
receiving comprises receiving, from the business logic, the request to perform the operation" 
in (Col 11 lines 29-60, and Col 17 lines 42-58).

18. As per claim 10:

Andrew discloses "One or more computer-readable media as recited in claim 8, wherein the 
receiving comprises receiving, as part of the request, an indication of a user, and wherein the 
checking the set of pluggable rules comprises comparing an object associated with the user 
to the rules in the set of pluggable rules and determining whether the operation can be 
performed based at least in part on whether the user is permitted to perform the operation" 
in (Col 11 lines 29-60, and Col 17 lines 42-58).

19. As per claim 11:

Andrew discloses "One or more computer-readable media as recited in claim 8, wherein the 
receiving comprises having one of a plurality of methods invoked" in (Col 11 lines 29-60, and
Col 17 lines 42-58). 

20. As per claim 12:

Andrew discloses "One or more computer-readable media as recited in claim 8, wherein the 
set of pluggable rules is a set of security rules defined using high-level permission concepts" 
in (Col 11 lines 29-60, and Col 17 lines 42-58).

21. As per claim 13:

Andrew discloses "One or more computer-readable media as recited in claim 12, wherein the 
high-level permission concepts include an operation and a context, wherein the operation 
allows identification of an operation to be performed and the context allows identification of
what the operation is to be performed on" in (Col 11 lines 29-60, and Col 17 lines 42-58).

22. As per claim 14: 

Andrew discloses "One or more computer-readable media as recited in claim 8, wherein the 
computer-executable instructions are implemented as an object" in (Col 6 lines 57-65). 

23. As per claim 15: 

Andrew discloses "One or more computer-readable media as recited in claim 8, wherein the 
computer-executable instructions further direct the processor to perform acts including: 
determining if at least one of the tests in the set of zero or more additional tests would 
indicate a result of failure; and returning, as the result, the failure indication without checking 
the set of pluggable rules" in (Col 11 lines 29-60, and Col 17 lines 42-58).

24. As per claim 16: 

Andrew discloses "One or more computer-readable media as recited in claim 8, wherein the 
set of pluggable rules can be replaced with another set of pluggable rules without altering the 
business logic" in (Col 7 lines 55-67, Col 11 lines 29-60, and Col 17 lines 42-58).

25. As per claim 17: 

Andrew discloses "One or more computer-readable media as recited in claim 8, wherein the 
set of pluggable rules includes a plurality of permission assignment objects, wherein each of 
the permission assignment object associates a user with a particular role, wherein each
particular role is associated with one or more permissions, and wherein each of the one or 
more permissions identifies a particular operation and context on which the operation is to be 
performed" in (Col 11 lines 29-60, and Col 17 lines 42-58).

26. As per claim 18: 

Andrew discloses "One or more computer-readable media as recited in claim 17, wherein 
each of the permission assignment objects further identifies whether the one or more 
permissions in the particular role are granted to the user or denied to the user" in (Col 11
lines 29-60, and Col 17 lines 42-58).

27. As per claim 19: 

Andrew discloses "A method comprising: providing high-level permission concepts for 
security rules; allowing a set of security rules to be defined using the high-level permission 
concepts, wherein the set of security rules allows permissions to be assigned to users of an 
application; and determining, based at least in part on a permission assigned to a user, 
whether to permit an operation based on a request by the user, wherein the determining 
further comprises determining whether to permit the operation requested by the user based
at least in part on accessing a business logic to the one or more additional tests, wherein the 
business logic contains problem-solving logic that produces solutions for a particular problem 
domain" in (Col 11 lines 29-60, and Col 17 lines 42-58).

28. As per claim 21:

Andrew discloses "A method as recited in claim 9 further comprising returning a result of the 
determining to the business logic" in (Col 11 lines 29-60, and Col 17 lines 42-58).

29. As per claim 22: 

Andrew discloses "A method as recited in claim 19, wherein the high-level permission 
concepts include an operation and a context, wherein the operation allows identification of 
an operation to be performed and the context allows identification of what the operation is 
to be performed on" in (Col 11 lines 29-60, and Col 17 lines 42-58).

30. As per claim 23: 

Andrew discloses "A method as recited in claim 19, wherein the method is implemented in an 
object having a plurality of interfaces for requesting a determination as to whether to permit a 
plurality of operations including the operation requested by the user" in (Col 11 lines 29-60,
and Col 17 lines 42-58). 

31. As per claim 24: 

Andrew discloses "A method as recited in claim 19, wherein the set of security rules includes 
a plurality of permission assignment objects, wherein each of the permission assignment 
objects associates a user with a particular role, wherein each particular role is associated with 
one or more permissions, and wherein each of the one or more permissions identifies a 
particular operation and context on which the operation is to be performed" in (Col 11
lines 29-60, and Col 17 lines 42-58).



32. As per claim 25: 

Andrew discloses "A method as recited in claim 24, wherein each of the permission
assignment objects further identifies whether the one or more permissions in the particular 
role are granted to the user or denied to the user" in (Col 11 lines 29-60, and Col 17 lines 42-
58).



33. As per claim 26: 

Andrew discloses "A method comprising: receiving a request to perform an operation 
associated with business logic, wherein the business logic contains problem-solving logic that 
produces solutions for a particular problem domain" in (Col 7 lines 53-67, and Col 8 lines 
25-50), "accessing a set of low-level rules, wherein the low-level rules are defined in terms of 
high-level concepts; checking whether a user requesting to perform the operation is entitled to 
perform the operation based at least in part on the set of low-level rules; and returning an 
indication of whether the operation is allowed or not allowed, wherein the set of low-level 
rules can be replaced with another set of low-level rules without altering the business logic" 
in (Col 7 lines 60-67, Col 17 lines 42-65, and Col 11 lines 30-60 (A set of rules 
associates with each role of many roles. For instance, the user can call the method and 
can also control access at the application, object, and interface level in (Col 11 lines 55-
60), and the manager can have other accesses. Each control access is a security or
policy setting associating with the application, object, and interface level)).

34. As per claim 27: 

Andrew discloses "A method as recited in claim 26, wherein the checking further 
comprises checking whether the user is entitled to perform the operation based at least in 
part on accessing the business logic to identify one or more additional tests to perform, and 
further comprising performing the one or more additional tests" in (Col 7 lines 55-67, Col 11
lines 29-60, and Col 17 lines 42-58).

35. As per claim 29: 

Andrew discloses "A method as recited in claim 27, further comprising returning the indication 
to the business logic" in (Col 7 lines 55-67, Col 11 lines 29-60, and Col 17 lines 42-58).

36. As per claim 30: 

Andrew discloses "A method as recited in claim 26, wherein the low-level rules include a 
plurality of permission assignment objects, wherein each of the permission assignment 
objects associates a user with a particular role, wherein each particular role is associated with 
one or more permissions, and wherein each of the one or more permissions identifies a 
particular operation and context on which the operation is to be performed" in (Col 7 lines 
55-67, Col 11 lines 29-60, and Col 17 lines 42-58).

37. As per claim 31:

Andrew discloses "A method comprising: assigning high level security concepts to an 
application domain; and allowing a set of pluggable rules to define low-level rules, in terms of the high 
level security concepts, for different business logic in the application domain" in (Col 7 lines 53-67, 
and Col 8 lines 25-50), "wherein each business logic contains problem-solving logic that produces
solutions for a particular problem domain, wherein the high level security concepts include an
operation that identified an operation to be performed, and a context that identifies what the
operation is performed on" in (Col 7 lines 55-67, Col 11 lines 29-60, and Col 17 lines 42-58).

38. As per claim 33: 

Andrew discloses "A method as recited in claim 31, further comprising: determining, based at 
least in part on a permission assigned to a user and on one or more additional tests identified 
by accessing the business logic, whether to permit an operation based on a request by the 
user" in (Col 7 lines 55-67, Col 11 lines 29-60, and Col 17 lines 42-58).

39. As per claim 34:

Andrew discloses "A method as recited in claim 33, further comprising returning a result of the 
determining to the business logic" in (Col 7 lines 55-67, Col 11 lines 29-60, and Col 17 lines 42- 
58). 

40. As per claim 35:

Andrew discloses "An architecture comprising: a plurality of resources; a business logic layer 
to process, based at least in part on the plurality of resources, requests received from a 
client, wherein the business logic layer contains problem-solving logic that produces solutions 
for particular problem domain; and a pluggable security policy enforcement module, separate 
from the business layer, to enforce security restrictions on accessing information stored at the 
plurality of resources" in (Col 6 lines 56-65, Col 7 lines 53-67, and Col 8 lines 25-50). 

41. As per claim 36: 

Andrew discloses "An architecture as recited in claim 35, wherein the pluggable security 
policy enforcement module defines high-level permission concepts for security rules and 
further defines a set of security rules using the high-level permission concepts" in (Col 7 lines 
55-67, Col 11 lines 29-60, and Col 17 lines 42-58). 

42. As per claim 37: 

Andrew discloses "An architecture as recited in claim 36, wherein the high-level permission 
concepts include an operation and a context, wherein the operation allows identification of an 
operation to be performed and the context allows identification of what the operation is to be 
performed on" in (Col 7 lines 55-67, Col 11 lines 29-60, and Col 17 lines 42-58).

43. As per claim 38:

Andrew discloses "An architecture as recited in claim 35, wherein the pluggable security
policy enforcement module can be replaced with another pluggable security policy 
enforcement module to enforce different security restrictions without altering the business 
logic layer" in (Col 7 lines 55-67, Col 11 lines 29-60, and Col 17 lines 42-58).

44. As per claim 39: 

Andrew discloses "An architecture as recited in claim 35, wherein the pluggable security 
policy enforcement module is configured to determine, based at least in part on a permission 
assigned to a user and on one or more additional tests identified by accessing the business 
logic layer, whether to permit an operation to access information at the plurality of resources" 
in (Col 7 lines 55-67, Col 11 lines 29-60, and Col 17 lines 42-58).

45. As per claim 40: 

Andrew discloses "A system as recited in claim 1, wherein the system is configured as a 
multi-layer architecture, wherein the business logic is implemented as a business logic 
layer of the multi-layer architecture" in (Col 7 lines 55-67, Col 11 lines 29-60, and Col 17
lines 42-58). 

46. As per claim 41: 

Andrew discloses "A system as recited in claim 1, wherein the pluggable security
policy enforcement module is configured to receive an input from the business logic in 
the form of a user indication and an item indication" in (Col 7 lines 55-67, Col 11 lines 29-
60, and Col 17 lines 42-58). 

47. As per claim 42: 

Andrew discloses "A system as recited in claim 1, wherein the pluggable security policy
module includes an interface that provides the following interface functionality: first 
functionality for testing whether an identified item can be approved by a specified user; 
second functionality for testing whether the identified item of a specified type can be 
created by the specified user; third functionality for testing whether the identified item can 
be deleted by the specified user; fourth functionality for testing whether the identified item
can be modified by the specified user; and fifth functionality for testing whether the identified
user can examine details of the identified item" in (Col 7 lines 55-67, Col 11 lines 29-60, Col
12 lines 47-52, and Col 17 lines 42-58). 

Conclusion

48. Applicant has amended claims 1, 4, 8, 19, 21, 26, 27, 31, and 35, which 
necessitated new grounds of rejection. See Rejections above. 

49. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

50. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Linh LD Son whose telephone number is 571- 
272-3856. The examiner can normally be reached on 9-6 (M-F). 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic
Business Center (EBC) at 866-217-9197 (toll-free).



Linh LD Son 




